Major Description
I stumbled into this bug when writing a unit test.
I was making sure that signature validation did not pass under the following conditions:
```
header + "x" + "." + payload + "." + signature
header + "." + payload + "x" + "." + signature
header + "." + payload + "." + signature + "x"
```
2 of the 3 correctly failed to validate because the signature was invalid, however the first case still passed signature validation. This puzzled me so I read the code to figure out what was going on.
```
JWS jws = new JWSReader().read(jwt);
CustomSignatureMethod signatureMethod = new CustomSignatureMethod();
CustomPublicKey customPublicKey = new CustomPublicKey(keyPair.getPublic());
return jws.validate(signatureMethod, customPublicKey);
```
When you look at the JWSReader you will see:
```
Builder jwsBuilder = new Builder();
(new JWSHeaderParser(jwsBuilder)).read(decodedHeader);
return jwsBuilder.setPayload(decodedBody).setSignature(encodedSignature).build();
```
So clearly the JWSHeaderParser's read implementation isn't reading the entire contents of decodedHeader (which I confirmed is the entire header).
Inside of the class public abstract class CustomizableEntityReader<E, B extends CustomizableBuilder<E>>
you would find three places that return early. Two of them look like this:
```
case '}':
return;
```
So as soon as the closing } in the JSON is read the remaining bytes are not parsed.
This is bad because it means that signature validation passes when it clearly should not.
My short term fix conceptually looks like this:
```
case '}':
if ( x.more() )
return;
```
I'm not sure that this is exploitable at the moment, but it allows extra data to be passed in JWTs and it causes many tokens to pass signature validation instead of just the actually valid token.